SlideShare a Scribd company logo
1 of 115
Download to read offline
libmalloc exploitation
MacOS memory allocator

Angelboy
@scwuaptx
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
OSX memory allocator
• libmalloc

• It can be divided into

• Tiny ( <=1008 )

• Small ( <=128k )

• Large
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
Tiny
• block

• The smallest unit can be
allocated

• A block size is 0x10 in tiny region

• known as Quantum
block
Block
0x10
block
block
block
Tiny
• chunk (inused)

• basic data structure used by
malloc

• Consisting of numerous blocks

• There is no metadata in the inused
chunk
block 0x10
block
block
block
Chunk
block 0x10
block
block
block
Tiny
• chunk (freed)

• Previous

• Point to previous freed chunk in
linked list

• Next

• Point to next freed chunk in
linked list
Previous
Next
Msize
Chunk
…
Msize
…
Tiny
• chunk (freed)

• Previous and next are not raw
pointer but a checksum and a
shifted pointer

• Checksum =
SumofEverybytes(ptr^cookie) & 0xf
Previous
Next
Msize
Chunk
…
Msize
Previous >> 4
Checksum (4 bit)
Tiny
• chunk (freed)

• msize

• The size of freed chunk, it would be
after next pointer and the last two
byte of the chunk

• Size is in quantum unit

• For example, If the size of chunk
is 0x40, then msize is 0x4 ( 1
quantum is 0x10, so msize = 0x40
>> 4)
Previous
Next
Msize
Chunk
…
Msize
Tiny
• tiny_region

• The memory pool of libmalloc 

• Region consist of numerous blocks

• Default

• Size of Region : 0x100000

• Number of block : 64520

• There are some metadata at the end
of region
Region
block (inuse)
Block (freed)
…
tiny_region_end
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (freed)
previous
next
msize
……
msize
Tiny
• tiny_header_inuse_pair_t

• bitmap

• In the end of region

• It is used to represent the chunk state in
the region

• Header is used to indicate whether the
corresponding block is the head of
chunk

• Inuse is used to indicate whether the
chunk is inused
header
inuse
tiny_header_inuse_pair_t
0x0
0x4
Tiny
Region
block (inuse)
Block (freed)
…
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (freed)
previous
next
msize
……
msize
……001011
……001001
Header
inuse
chunk
tiny_region_end
Tiny
• magazine

• The structure used to manage the chunk in
the region of tiny and small

• mag_last

• Libmalloc does not actually free (size <=
0x100) but is recorded in magazine. When
the next time you call free, it will actually
free the chunk.

• If you call malloc with same size as the
chunk in mag_last, it will use it first.

• Similar to cache.
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Tiny
• magazine

• mag_last_free

• The last freed chunk

• mag_last_free_msize

• The size of the last freed chunk

• mag_last_free_rgn

• The region of the last freed chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Tiny
• free_list

• Linked lists to manage freed chunks

• Every 0x10 bytes as an unit

• There are 64 free_lists in Tiny

• Chunk size larger than tiny size will be
put in the last free_list

• Double linked list

• The first node will not point back to
magazine
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Tinymagazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
previous
next
6
……
6
previous
next
6
……
6
previous
next
6
……
6
Tiny
• magazine

• mag_bitmap

• a bitmap used to represent
free_list

• mag_bytes_free_at_end

• the remaining size of the region
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Tiny
• magazine

• mag_num_bytes_in_objects

• The number of chunks in the
region

• mag_bytes_in_magazine

• The allocated size of the region
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Tiny magazine
Region
block (inuse)
Block (freed)
…
tiny_header_inuse_pair_t header (bitmap)
inuse (bitmap)
previous
next
msize
……
msize
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
Chunk
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
region_trailer tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
tiny_region_end
Tiny
• tiny rack

• Used to manage magazine

• Types

• Determine whether the rack is tiny
or small

• num_regions

• The number of region belongs to
the rack
Types
…
num_regions
num_regions_deaclloc
region_hash_generation
initial_regions[64]
num_magazines
*magazines
cookie
last_madvise
tiny_rack
Tiny
• tiny rack

• num_magazines

• The number of magazines of the rack 

• magazines

• The magazines pointer of the rack

• cookie

• Checksum cookie for tiny rack
Types
…
num_regions
num_regions_deaclloc
region_hash_generation
initial_regions[64]
num_magazines
*magazines
cookie
last_madvise
tiny_rack
Tiny
• szone

• The core structure of libmalloc.

• It will record the system's various heap
information, thresholds and other
information.

• malloc_zone_t 

• virtual function table

• Cookie

• Same as the cookie in the tiny rack
szone
malloc_zone_t
…
debug_flag
…
tiny_rack
small_rack
…
cookie
szone
szone
malloc_zone_t
size()
malloc()
calloc()
valloc()
free()
…
debug_flag
…
tiny_rack
small_rack
…
cookie
malloc_zone_t
tiny rack
szone
malloc_zone_t
…
debug_flag
…
tiny_rack
small_rack
…
cookie
Types
…
num_regions
num_regions_deaclloc
region_hash_generation
initial_regions[64]
num_magazines
*magazines
cookie
last_madvise
magazinetiny_rack
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)

• At first, it will check if (tiny_mag_ptr->mag_last_free_msize == msize)

• It will not unlink the chunk. In fact, this chunk is in the cache and is
not really free.
Tiny mechanism
Tiny mechanism
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)

• If no suitable chunk in cache, it will find chunk from free_list
(tiny_malloc_from_free_list)

• It will take the first one from the free_list and do unchecksum for next
pointer

• Abort if unchecksum failed
Tiny mechanism
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)
Tiny mechanism
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)

• If no suitable chunk in free_list, it will take from the smallest suitable
free_list

• It will be split, and insert the remainder chunk into free_list
Tiny mechanism
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)

• After finding the suitable chunk

• It will update the metadata(tiny_header_inuse_pair) and return the
chunk to user
Tiny mechanism
Region
block (inuse)
Block (freed)
…
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (freed)
previous
next
msize
……
msize
……001011
……001001
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
malloc(0x20)
chunk
tiny_region_end
Tiny mechanism
Region
block (inuse)
Block (inuse)
…
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (inuse)
User data
……001011
……001011
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
tiny_region_end
從 free_list 分配
Tiny mechanism
• When calling malloc, it will go through different processes according to
the size. When size < 1008 byte, it will use
tiny_malloc(tiny_malloc_should_clear)

• If there is no chunk available in free_list, it will allocate from
tiny_region_end if the size is enough.
Tiny mechanism
Region
block (inuse)
Block (freed)
…
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (freed)
previous
next
msize
……
msize
……001011
……001001
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
malloc(0x40)
chunk
tiny_region_end
Tiny mechanism
Region
block (inuse)
Block (freed)
…
tiny_header_inuse_pair_t
region_trailer
tiny_header_inuse_pair_t
Block (freed)
previous
next
msize
……
msize
…1…001011
…1…001001
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
tiny_region_end
Allocate from tiny_region_end
block (inuse)
…
• When calling free, it will take the size of freed chunk and go through
different processes according to the size. If size < 1008 byte, it will use
free_tiny

• Size retrieval method (szone_size)

• tiny_size 

• Verify header and inused state first.

• Use bitmap of header to calculate size
Tiny mechanism
• When calling free, it will take the size of freed chunk and go through
different processes according to the size. If size < 1008 byte, it will use
free_tiny 

• free_tiny

• If msize < 0x10, it will swap freed chunk in cache with the current
chunk.
Tiny mechanism
• When calling free, it will take the size of freed chunk and go through different
processes according to the size. If size < 1008 byte, it will use free_tiny 

• tiny_free_no_lock

• Similar as glibc, it will merge previous and next freed chunk and clear inuse
bit .

• The way to find the previous chunk is to use the msize at the end of the
previous chunk 

• Use the size of chunk and address to find the next chunk

• It will unlink before merge
Tiny mechanism
• When calling free, it will take the size of freed chunk and go through different
processes according to the size. If size < 1008 byte, it will use free_tiny 

• unlink (tiny_free_list_remove_ptr)

• unchecksum 

• next & previous

• previous_next & next_previous ( next or previous not NULL)

• verify prev_next == next_prev == ptr

• Abort if any conditions above failed
Tiny mechanism
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
free(P)
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
Get size
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
P
P_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
free(Q)
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
check prev chunk
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
check prev 

header & inuse
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……001011
……001001
…
Q
Cache
clear header of P
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……000011
……000001
…
Q
Cache
unlink previous of P
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……000011
……000001
…
Q
Cache
merge
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……000011
……000001
…
Q
Cache
check next
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……000011
……000001
…
Q
Cache
Add to free_list
Tiny mechanism
Region
block (inuse)
…
tiny_header_inuse_pair_t
tiny_header_inuse_pair_t
magazine
padding
Q
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
cksum | NULL
cksum | NULL
0x2
0x2
P
……000011
……000001
…
Q
Cache
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
Small
• block

• The smallest unit can be
allocated

• A block size is 0x200 in tiny
region

• known as Quantum
block
Block
0x200
block
block
block
Small
• chunk (inused)

• Basic data structure used by
malloc

• Consisting of numerous blocks

• There is no metadata in the inused
chunk
block 0x200
block
block
block
Chunk
block
block
block
Small
• chunk (freed)

• Previous

• Point to previous freed chunk in
linked list

• Next

• Point to next freed chunk in linked
list

• It is different from tiny, it used raw
pointer
Previous
checksum (1 byte)
Next
Chunk
checksum (1 byte)
…
block
block
block
Small
• chunk (freed)

• checksum

• Unlike tiny , there is another byte
added here (but padding to 8
bytes)

• SumofEveryBytes(ptr ^ rack-
>cookie ^ rack)
Previous
checksum (1 byte)
Next
Chunk
checksum (1 byte)
…
block
block
block
Small
• chunk (out-of-band freed)

• Page aligned chunk is called oob
free chunk

• There is no metadata
…
…
…
Chunk
…
…
Small
• oob_free_entry_s

• Used to manage oob chunk

• Prev

• Point to previous same size freed chunk
in linked list

• next

• Point to next same size freed chunk in
linked list

• it also used raw pointer
Prev
Next
Ptr
0x0
0x8
0x10
oob free entry
Small
• oob_free_entry_s

• Ptr

• The index of the oob chunk in
the region

• The highest 1 bit indicates
whether it is oob free chunk
Prev
Next
Ptr
0x0
0x8
0x10
oob free entry
Small
• small_region

• The memory pool of libmalloc 

• Similar to tiny, but the block size
becomes 0x200

• Default 

• The size of region : 0x800000

• The number of block : 16319

• There are some metadata in the end
of region
Region
block (inuse)
Block (freed)
…
small_region_end
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[]
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Small
• small_region

• small_meta_words[]

• msize_t array 

• Each element corresponds
to each block

• It contain chunk size and
inuse bit
Region
block (inuse)
Block (freed)
…
small_region_end
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[]
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Small
• small_region

• small_meta_words[]

• The block corresponding to the
beginning of chunk(inuse) will
contain the size of the chunk

• The block corresponding to the
beginning and end of chunk(freed)
will store the size and flag of the
chunk.

• The highest 1 bit is used to
indicate whether it is freed
Region
block (inuse)
Block (freed)
…
small_region_end
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[]
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Small
Region
…
Block (freed)
…
small_region_end
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[]
Previous
checksum (1 byte)
Next
checksum (1byte)
…
flag|msize
Block (freed)
flag|msize msize
Small
• small_region

• small_oob_free_entries[32]

• An array of oob_free_entry

• OOB chunk will be put here.
Region
block (inuse)
Block (freed)
…
small_region_end
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[]
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Small
Prev
Next
Ptr
oob free entry
free_list[x]
Region
block (…)
Block (freed)
…
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[0]
small_oob_free_entries[…]
Block (freed)
oob chunk
Small
• magazine

• The structure used to manage the
chunk in the region of tiny and small

• mag_last 

• Libmalloc does not free the chunk
first but cache in mag_last_free.
When the next time you call free, it
will actually free the chunk

• Similar to cache
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
Smallmagazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
free_list[0]
…
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
• free_list

• Linked lists to manage freed chunks

• Every 0x200 bytes as an unit

• Chunk size larger than small size will be
put in the last free_list

• Double linked list

• The first node will not point back to
magazine

• Simliar to tiny magazine
Small
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[1]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
NULL
Next
Ptr
oob free entry
Region
block (…)
Block (freed)
…
small_meta_words[]
region_trailer
Block (freed)
small_oob_free_entries[0]
small_oob_free_entries[…]
Block (freed)
oob chunk
Block (free)
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
• When calling malloc, it will go through different processes according to
the size. When size > 1008 byte and size < 128k, it will use small_malloc
(small_malloc_should_clear)

• At first, it will check if (tiny_mag_ptr->mag_last_free_msize == msize)

• It will not unlink the chunk. In fact, this chunk is in the cache and is
not really free.
Small mechanism
Small mechanism
• When calling malloc, it will go through different processes according to the size. When
size > 1008 byte and size < 128k, it will use small_malloc (small_malloc_should_clear)

• If no suitable chunk in cache, it will find chunk from free_list
(small_malloc_from_free_list)

• It will take the first one from the free_list and check whether is oob chunk 

• normal chunk : do unchecksum for next pointer

• Oob chunk : take from next

• Do unlink

• It will check the double linked list (next_prev == ptr)
Small mechanism
• When calling malloc, it will go through different processes according to
the size. When size > 1008 byte and size < 128k, it will use small_malloc
(small_malloc_should_clear)

• It is same as tiny except that oob chunk will not do checksum
Small mechanism
Region
block (inuse)
Block (freed)
…
region_trailer
Block (freed)
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
malloc(0x600)
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
flag|msize flag|msize msize
Block (freed)
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Small mechanism
Region
block (inuse)
Block (inuse)
…
region_trailer
Block (inuse)
chunk
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x3 0 msize
Block (inuse)
Previous
checksum (1 byte)
Next
checksum (1byte)
…
• When calling free, it will take the size of freed chunk and go through
different processes according to the size. If size > 1008 byte and size <
128k, it will use free_small

• free_small

• it will swap freed chunk in cache with the current chunk.
Small mechanism
• When calling free, it will take the size of freed chunk and go through different processes according to
the size. If size > 1008 byte and size < 128k, it will use free_small

• small_free_no_lock

• It is similar to tiny, there will be a merge behavior, and finally insert into free_list

• The way to find the previous chunk is to use the small_meta_word corresponding to the end
of the previous chunk to determine whether the previous chunk is freed and to get the
previous chunk size and position.

• The way to find the next chunk is to use the small_meta_word corresponding to next chunk

• It will merge previous and next freed chunk

• It will unlink before merge
Tiny mechanism
• When calling free, it will take the size of freed chunk and go through different processes
according to the size. If size > 1008 byte and size < 128k, it will use free_small

• unlink (small_free_list_remove_ptr)

• If is not oob chunk, it will do unchecksum. If it is oob chunk, it will take directly ptr

• next & previous

• previous_next & next_previous ( next or previous not NULL)

• Verify prev_next == next_prev == ptr

• Abort if any conditions above failed
Tiny mechanism
Small mechanism
Region
block (inuse)
Block (inuse)
…
region_trailer
Block (inuse)
P
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x3 0 msize
Block (inuse)
…
…
…
…
…
free(P)
Small mechanism
Region
block (inuse)
Block (inuse)
…
region_trailer
Block (inuse)
P
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x3 0 msize
Block (inuse)
…
…
…
…
…
Check prev chunk
Small mechanism
Region
block (inuse)
Block (inuse)
…
region_trailer
Block (inuse)
P
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x3 0 msize
Block (inuse)
…
…
…
…
…
Check next chunk
Small mechanism
Region
block (inuse)
Block (inuse)
…
region_trailer
Block (inuse)
P
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x3 0 msize
Block (inuse)
…
…
…
…
…
Set header & add to free list
Small mechanism
Region
block (inuse)
Block (freed)
…
region_trailer
Block (freed)
P
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
chunk
small_region_end
small_meta_words[]
small_oob_free_entries[]
0x8003 0x8003 msize
Block (freed)
Previous
checksum (1 byte)
Next
checksum (1byte)
…
Outline
• OSX memory allocator

• Tiny

• Data Structure

• mechanism

• Small

• Data Structure

• mechanism

• Exploitation
Outline
• Exploitation

• Tiny 

• Overlap chunk attack

• free_list overwrite attack

• Small 

• Meta word overwrite
Outline
• Exploitation

• Tiny 

• Overlap chunk attack

• free_list overwrite attack

• Small 

• Meta word overwrite
Exploitation
• Overlap chunk attack

• The goal is to create an overlap chunk and change other chunk content,
which is useful when you can use vulnerability to overwrite the size of
next chunk.

• The method is to use the vulnerability to overwrite the size and increase
the original free chunk and use merged feature to create overlap chunk.

• In addition, when calling free, it will check whether the ptr in the
cache is equal to the ptr to be free. If it is equal, it will be abort
(double free).
Exploitation
A
B
C
D
0x30
0x50
0x40
0x20
magazine
padding
mag_last_free
mag_last_free_msize
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
free(B)
01000100001001
01000100001001
free_list[2]
free_list[3]
free_list[4]
free_list[5]
…
Header
Inuse
Exploitation
A
B
C
D
0x30
0x50
0x40
0x20
magazine
padding
B
0x5
mag_last_free_rgn
…
free_list[2]
…
free_list[x]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100001001
free(D)
free_list[2]
free_list[3]
free_list[4]
free_list[5]
…
Header
Inuse
Exploitation
A
B
cksum | NULL
cksum | NULL
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
Use A to 

overflow msize of B
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free(A)
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
A
0x3
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
free(C)
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
A
0x3
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
free(C)
-> process free(A)
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
check prev
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
check next
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
remove B from free_list
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
Unchecksum
Prev & next of B
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
It need to brute-force 4 bit
Checksum
free_list[5]
…
Header
Inuse
Exploitation
A
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
00000100000001
merge & add to list
free_list[5]
…
Header
Inuse
Exploitation
B
NULL
NULL
0x9
0x5
C
D
0x30
0x50
0x40
0x20
cksum | NULL
cksum | NULL
0x2
0x2
magazine
padding
C
0x4
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100000001
00000100000001
free_list[5]
…
Header
Inuse
A
cksum | NULL
cksum | NULL
0xc
Outline
• Exploitation

• Tiny 

• Overlap chunk attack

• free_list overwrite attack

• Small 

• Meta word overwrite
• Free_list overwrite attack

• In fact, it is unlink attack but the trigger timing is in malloc. 

• It does not verified double linked list when tiny_malloc take free chunk from
free_list

• The method is to overwrite the prev and next of the free chunk. 

• The prev & next pointer is shifted right 4 bit pointer.

• It needs to hit the 4 bit checksum

• The prev will be written to *next.
Exploitation
Exploitation
• Free_list overwrite attack
Exploitation
A
B
cksum | NULL
cksum | NULL
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
Use A to 

overflow B
free_list[5]
…
Header
Inuse
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
malloc(0x50)
free_list[5]
…
Header
Inuse
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
Check cache
0x5 != 0x2
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
Malloc from free_list
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
next =
unchecksum(target >> 4)
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
next =
unchecksum(target >> 4)
It need to bruteforce 4 bit
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
Next->previous
= ptr->previous
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100000001
free_list[5]
…
Header
Inuse
target = deadbeef
Exploitation
A
B
deadbeef
target >> 4
0x5
0x5
C
D
0x30
0x50
0x40
0x20
magazine
padding
D
0x2
mag_last_free_rgn
…
free_list[2]
free_list[3]
free_list[4]
mag_bitmap[4]
mag_bytes_free_at_end
mag_bytes_free_at_start
mag_last_region
mag_num_bytes_in_objects
mag_bytes_in_magazine
01000100001001
01000100001001
free_list[5]
…
Header
Inuse
Set inuse and

return B to user
Exploitation
• Tiny

• In addition to the above two methods, the general unlink attack can
also be used, but it need to bypass two checksum checks (prev & next)
and the probability becomes 1/256.

• You also can overwrite the metadata in the end of region to create
overlap chunk.
Outline
• Exploitation

• Tiny 

• Overlap chunk attack

• free_list overwrite attack

• Small 

• Meta word overwrite
• Small 

• Basically, there are not many points that can be used. If you want to
achieve unlink attack, you need brute-force 2 bytes of checksum.

• If you arbitrary memory reading, you can calculate checksum and do
unlink attack.

• The more useful point is meta word overwrite, but you need to overwrite
the end of the region.
Exploitation
• Meta word overwrite

• Constructing a meta word causes malloc to take a fake msize and
create an overlap chunk
Exploitation
• https://opensource.apple.com/source/libmalloc/
Reference

More Related Content

What's hot

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
MySQL Buffer Management
MySQL Buffer ManagementMySQL Buffer Management
MySQL Buffer ManagementMIJIN AN
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
イマドキC++erのモテカワリソース管理術
イマドキC++erのモテカワリソース管理術イマドキC++erのモテカワリソース管理術
イマドキC++erのモテカワリソース管理術Kohsuke Yuasa
 
Undo internalspresentation
Undo internalspresentationUndo internalspresentation
Undo internalspresentationoracle documents
 
JVM Mechanics: Understanding the JIT's Tricks
JVM Mechanics: Understanding the JIT's TricksJVM Mechanics: Understanding the JIT's Tricks
JVM Mechanics: Understanding the JIT's TricksDoug Hawkins
 
LLVM Register Allocation
LLVM Register AllocationLLVM Register Allocation
LLVM Register AllocationWang Hsiangkai
 
jemalloc 세미나
jemalloc 세미나jemalloc 세미나
jemalloc 세미나Jang Hoon
 

What's hot (20)

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Execution
ExecutionExecution
Execution
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
MySQL Buffer Management
MySQL Buffer ManagementMySQL Buffer Management
MySQL Buffer Management
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
How A Compiler Works: GNU Toolchain
How A Compiler Works: GNU ToolchainHow A Compiler Works: GNU Toolchain
How A Compiler Works: GNU Toolchain
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
イマドキC++erのモテカワリソース管理術
イマドキC++erのモテカワリソース管理術イマドキC++erのモテカワリソース管理術
イマドキC++erのモテカワリソース管理術
 
Undo internalspresentation
Undo internalspresentationUndo internalspresentation
Undo internalspresentation
 
JVM Mechanics: Understanding the JIT's Tricks
JVM Mechanics: Understanding the JIT's TricksJVM Mechanics: Understanding the JIT's Tricks
JVM Mechanics: Understanding the JIT's Tricks
 
Kernel Pool
Kernel PoolKernel Pool
Kernel Pool
 
LLVM Register Allocation
LLVM Register AllocationLLVM Register Allocation
LLVM Register Allocation
 
jemalloc 세미나
jemalloc 세미나jemalloc 세미나
jemalloc 세미나
 

Similar to MacOS memory allocator (libmalloc) Exploitation

Similar to MacOS memory allocator (libmalloc) Exploitation (20)

Understanding DLmalloc
Understanding DLmallocUnderstanding DLmalloc
Understanding DLmalloc
 
#GDC15 Code Clinic
#GDC15 Code Clinic#GDC15 Code Clinic
#GDC15 Code Clinic
 
A survey on Heap Exploitation
A survey on Heap Exploitation A survey on Heap Exploitation
A survey on Heap Exploitation
 
Bohan pac sec_2016
Bohan pac sec_2016Bohan pac sec_2016
Bohan pac sec_2016
 
Dynamic Memory Allocation(DMA)
Dynamic Memory Allocation(DMA)Dynamic Memory Allocation(DMA)
Dynamic Memory Allocation(DMA)
 
C dynamic ppt
C dynamic pptC dynamic ppt
C dynamic ppt
 
4 dynamic memory allocation
4 dynamic memory allocation4 dynamic memory allocation
4 dynamic memory allocation
 
Matlab pt1
Matlab pt1Matlab pt1
Matlab pt1
 
Introduction to Blockchain & development
Introduction to Blockchain & developmentIntroduction to Blockchain & development
Introduction to Blockchain & development
 
Computer organization memory hierarchy
Computer organization memory hierarchyComputer organization memory hierarchy
Computer organization memory hierarchy
 
Lecture 25
Lecture 25Lecture 25
Lecture 25
 
Dma
DmaDma
Dma
 
cache memory
 cache memory cache memory
cache memory
 
JVM Garbage Collection Tuning
JVM Garbage Collection TuningJVM Garbage Collection Tuning
JVM Garbage Collection Tuning
 
Blockchain - a simple implementation
Blockchain - a simple implementationBlockchain - a simple implementation
Blockchain - a simple implementation
 
Hoard_2022AIM1001.pptx.pdf
Hoard_2022AIM1001.pptx.pdfHoard_2022AIM1001.pptx.pdf
Hoard_2022AIM1001.pptx.pdf
 
Functions with heap and stack
Functions with heap and stackFunctions with heap and stack
Functions with heap and stack
 
Mathemetics module
Mathemetics moduleMathemetics module
Mathemetics module
 
Data Structure - Dynamic Memory Allocation
Data Structure - Dynamic Memory AllocationData Structure - Dynamic Memory Allocation
Data Structure - Dynamic Memory Allocation
 
Stack & heap
Stack & heap Stack & heap
Stack & heap
 

Recently uploaded

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 

Recently uploaded (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 

MacOS memory allocator (libmalloc) Exploitation